Summary and Committee’s conclusions

5.1 The recently adopted General Data Protection Regulation (GDPR)[25] applies rules on the processing and free movement of personal data to Member States and data controllers/processors within the EU[26] and is intended to be extended to the EEA. It will be directly applicable in Member States from 25 May 2018. It is an important piece of EU legislation, required to facilitate the Digital Single Market, to update the 1995 rules in line with technological developments, to strengthen online privacy rights and to address divergent implementation by Member States. The Government has committed to ensuring that UK law complies with the GDPR by the May deadline.[27]

5.2 EU data protection rules are likely to remain relevant and significant for the UK after Brexit. This is because any future trading with the EU will probably involve the cross-border exchange of personal data from the UK as a third country to the EU. We address this issue both in our conclusions and at paragraphs 5.21–5.22 of this chapter.

5.3 This proposed Regulation adapts the new GDPR rules to EU institutions, agencies and other bodies, and also anticipates the proposed reform of the current e-Privacy Directive[28] (see chapter 6 of this Report). The proposal is a recast of the current Regulation (EC) 45/2001, applicable to the EC/EU institutions, agencies and other bodies, which is based on the rules in the 1995 Data Protection Directive.[29] It is likely to be directly applicable in the UK before Brexit, coming into effect at the same time as the GDPR.

5.4 As the obligations in this proposal are imposed on data controllers and processors in EU bodies, the Government broadly assesses the impact on the UK to be minimal (excluding UK-based external processors used by the EU). However, it is seeking to ensure that, where possible, the same obligations and protections are applied to EU institutions as under the GDPR. It does not comment on any possible Brexit implications, but we pursue these in our conclusions below.

5.5 We thank the Minister of State for Digital and Culture (Matthew Hancock) for his Explanatory Memorandum, which is particularly helpful in highlighting areas where the present proposal diverges from the General Data Protection Regulation (GDPR) adopted last year.

5.6 We note that the Commission intends the proposal, once adopted, to apply from 25 May 2018, at the same time as the new GDPR. We agree with the Minister that, on the expected timings of the Brexit negotiations,[30] it is likely that this proposal will apply to the UK before Brexit. However, as the Minister observes, the obligations envisaged by this proposal are not for Member States and the “impact will mostly fall on the data controllers in EU institutions”, except for any UK-based “external” data processors used by them. So although at present this proposal seems to have little impact for the UK, we welcome the Minister’s vigilance in seeking to ensure consistency between this proposal and the GDPR. It is important that UK and other EU citizens and businesses should enjoy the same level of protection when their data is being processed by EU bodies as under the GDPR in the case of the Member States and other data controllers/processors.

5.7 However, we wonder whether the handling of the personal data of UK citizens by EU institutions could assume more significance after Brexit. Subject to any specific agreement reached as part of the UK’s future relationship with the EU,[31] “third country” UK citizens might have to submit even more data than at present to EU bodies and centralised EU databases to acquire authorisation respectively to travel, work or provide services in the EU. It is therefore disappointing that the Minister has not commented from a Brexit viewpoint on Chapter V of the proposal, which addresses the transfer of personal data to “third countries and international organisations”. In this respect, we also await the Minister’s Explanatory Memorandum on a Commission Communication,[32] which we have requested for deposit, on the issue of international transfers of data entitled “Exchanging and Protecting Personal Data in a Globalised World”. Even putting Brexit to one side, the Court’s ruling in Schrems[33] (which struck down the EU-US Safe Harbour adequacy decision and led to its replacement by the Privacy Shield) alone highlights this as an area on which the Minister should comment.

5.8 It would be very helpful, when the Minister next writes, if he could explain how obligations under this proposal tie in with discrete obligations in relation to the handling of data relating to EU centralised databases, many of them having a law enforcement purpose. We note that the Government is already considering the relationship between this proposal and the ePrivacy proposal, and we look forward to hearing more from the Government on this in due course.

5.9 As we expect negotiations to move quickly on this proposal, we ask the Minister to keep us informed of developments on the document but retain it under scrutiny in the meantime. We draw this chapter and document to the attention of the Culture, Media and Sport Committee.

Full details of the documents

Proposed Regulation on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC: (38446), 5034/17, COM(17) 8.

The proposed Regulation

5.10 Article 2(3) of the GDPR requires Regulation 45/2001 to be updated so as to create a coherent data protection framework. The Commission’s evaluation of the existing rules also concluded that, in particular, a risk management approach (i.e. data protection impact assessments) and a sanctions regime should be adopted.

5.11 Accordingly, the key changes proposed include:

Stricter conditions for when consent is being used as a legal base for processing personal data: The data subject’s consent must be explicitly given for it to be valid. If consent is to be in a written declaration, the request must be clear and distinguishable from other matters;

Restrictions on the validity of a child’s consent when information society services are being offered: Consent will only be valid if the child is at least 13 years old;

Further obligations on data controllers: Including the requirements to conduct an impact assessment and notify the European Data Protection Supervisor (EDPS) of a personal data breach within 72 hours in certain circumstances. The proposals maintain the GDPR’s risk based approach to these obligations;

An expanded right to erasure (or “right to be forgotten”): This includes an obligation for any controller who has made the personal data public to take reasonable steps to inform other controllers that any links to the data and replications of it should also be erased;

A new right to data portability: This requires the controller in certain circumstances to allow data subjects to receive their personal data in a structured, commonly used, machine-readable format;

An expanded right to object to processing for scientific or historical research or statistical purposes: Unless the processing is necessary for a task in the public interest;

Limitation of the period in office for the EDPS: To a maximum of two terms of five years; and

A tier-based sanctions regime for breaches: The maximum fine is €50,000 (£42,468)[34] for certain breaches, with an annual cap of €500,000 (£424,680).[35]

The Government’s view

5.12 In an Explanatory Memorandum of 31 January 2017, the Minister of State for Digital and Culture (Matthew Hancock) first rehearses the Government’s standard statement on the UK’s position in the EU as a Member State following the Referendum outcome.[36] He clarifies that if the Commission succeeds in its aim of having the proposal come into force in May 2018 with the GDPR, and exit negotiations are still ongoing, then the proposed Regulation will be directly applicable in the UK.

5.13 However, he does not expect the proposal to have any direct impact on the UK or entail any significant financial implications, given that the obligations it imposes are on data controllers and processors in the EU institutions, agencies and other bodies.

Policy implications

5.14 He then explains the Government’s assessment of the policy implications of the proposed Regulation. He says that the Government:

favours a proportionate approach, striking the balance between the protection of personal data and promoting the free flow of data that is necessary;

considers that as the proposed Regulation applies to the processing of personal data by the EU institutions, agencies, and bodies, it has little direct impact on the UK;

maintains that despite the lack of UK impact, consistency between regimes is important both for data subjects’ rights and for the sharing of personal data between public authorities; and

believes that the proposals should mirror the provisions of the GDPR in all areas where it is appropriate.

Need for greater alignment with the GDPR

5.15 The Minister notes that some differences are due to the smaller range of processing done by the EU institutions; for example, there is no right to object to processing for direct marketing purposes, as this processing is not done by the EU institutions.

5.16 However, he adds that the Government believes that the justification for other differences is less clear and will therefore consider whether there should be greater alignment with the GDPR, in particular in the following cases:

Data subject’s complaint: a clarification that if a complaint is not handled or responded to by the EDPS within three months, then it should be presumed to have been rejected;

Greater derogations for international transfers: If a public authority under the GDPR wishes to make an international transfer as part of its public powers, it is not allowed to rely on the derogations for when the data subject has consented to the transfer, or the derogations involving the performance of a contract with the data subject. However, the text appears to permit Union institutions, bodies, and agencies to rely on these derogations;

Different scope for derogations to the GDPR: The draft Regulation expands the purposes for which derogations can be made so that they can include processing for the purpose of protecting the internal security of Union institutions and bodies including their electronic communications networks. However, the range of rights the derogations may be applied to has been narrowed: Union institutions and bodies may not derogate from their obligations in relation to the data subject’s right to object and the right not to be subjected to decisions based on automatic processing; and

A different regime for sanctions: There is a two-tiered system for fines, unlike the GDPR’s three-tiered system.[37] Infringements of the first tier include breaches of the requirements for a data protection officer, and security breaches. These incur a fine of up to €25,000 (£21,234)[38] per infringement. The second tier covers infringements of the data protection principles, the obligation for lawful processing, the conditions for consent, conditions for processing sensitive data, the rights of the data subject, and the provisions for international transfers. These incur a maximum fine of €50,000 (£42,468)[39] per infringement. There are certain elements of the text that do not appear to fall into either tier. These include breaches of the conditions for processing compatibility, the safeguards for processing personal data for research purposes including archiving, and the obligations imported from the draft ePrivacy Regulation.

Alignment with the proposed ePrivacy Regulation

5.17 In terms of aligning the existing Regulation with the proposed ePrivacy Regulation,[40] the Minister highlights that the proposals import the obligation to protect the confidentiality of electronic communications, and to protect information related to users’ terminal equipment when users access the EU’s public websites and applications. He says that the Government will be considering in detail the relationship between the two proposals.

Impact on UK “external processors” used by the institutions

5.18 Although the proposal applies to data controllers in the institutions, the Minister says that the Government will be assessing its potential impact on UK “external processors” employed by them. In particular, it will identify any overlap between the obligations those processors would have under this proposal and under the GDPR, and any uncertainty in the scope of the proposals that makes it unclear which law applies to them.

Recognition and enforcement of third country judgments

5.19 Article 50 deals with the recognition and enforcement of judgments or administrative decisions of third countries, which is only permitted where there is an international agreement, such as a mutual legal assistance treaty, in force between the third country and the EU. The Minister explains that this replicates Article 48 of the GDPR, in which the Government says the UK does not participate.[41]

Timetable for negotiations

5.20 Negotiations are expected to start early during the term of the Maltese Presidency, given that the Commission intends for the Regulation to apply from 25 May 2018 in order to ensure consistency with the GDPR.

Data exchange between the EU institutions and third countries

5.21 The Minister does not comment on data exchange between the EU institutions and third countries from a Brexit point of view.[42] Chapter V of this proposed Regulation, “Transfer of data to third countries or international organisations”, appears to be modelled on the provisions for data exchange with third countries under the GDPR. So, for example, Article 48 of the proposed Regulation on “adequacy decisions” references Article 45 of the GDPR. Transfers of data by EU institutions to a third country, a territory or one or more specific sectors in the third country, or an international organisation can only take place if the EU has decided that they ensure an adequate level of data protection for EU citizens.[43]

5.22 We therefore suggest that adequacy decisions under the proposed Regulation would be subject to the same CJEU rulings as those under the GDPR. The CJEU’s decision in Schrems[44] has set the bar for how those decisions need to comply with the Charter of Fundamental Rights, namely Article 7 (right to respect for private and family life) and Article 8 (protection of personal data).

[25] Regulation 2016/679 of the EP and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). On 4 May 2016, the official text of the Regulation was published in the EU Official Journal. While the Regulation entered into force on 24 May 2016 (twenty days after publication), it applies from 25 May 2018.

[26] Note though that the GDPR also catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if free of charge) to data subjects in the EU, or to monitoring the behaviour of such data subjects within the EU. This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.

[27] For example, when the Minister gave evidence to the Internal Market Sub-Committee of the Lords’ European Union Committee on 19 January 2017, see Q67.

[28] Proposed Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications): (38455), 5358/17 + ADDs 1–6, COM(17) 10.

[36] On 23 June, the EU referendum took place, and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period, the Government will continue to negotiate, implement, and apply EU legislation. The outcome of the exit negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.

[37] The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and €20 million (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and €10 million.

[41] For the Written Ministerial Statement on this purported opt-in decision, made in the absence of a Title V AFSJ legal base: HC Deb, 4 February 2016, col 511WS.

[42] Note that the EM does highlight the disparity that certain derogations for international transfers, which are not available to public authorities under the GDPR, can be relied on by the EU institutions under the proposal.

[43] Or, failing that, by way of a number of other specified mechanisms such as binding corporate rules or contractual clauses (see Article 46 of the GDPR).